KUBE_API_ARGS="\
    --advertise-address={{ ansible_default_ipv4.address }} \
    --secure-port=6443 \
    --allow-privileged=true \
    --audit-log-format=json \
    --audit-log-maxage=7 \
    --audit-log-maxbackup=10 \
    --audit-log-maxsize=100 \
    --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
    --audit-log-path=/var/log/kubernetes/audit.log \
    --authorization-mode=RBAC,Node \
    --client-ca-file=/etc/kubernetes/pki/ca.pem \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority \
    --enable-bootstrap-token-auth=true \
    --etcd-cafile=/etc/kubernetes/pki/etcd-ca.pem \
    --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.pem \
    --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key \
    --etcd-servers={% set pk = groups['etcd'] %}{% for host in pk %}https://{{ host }}:2379{% if not loop.last %},{% endif %}{% endfor %} \
    --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.pem \
    --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key \
    --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
    --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
    --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key \
    --requestheader-allowed-names=front-proxy-client \
    --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
    --requestheader-extra-headers-prefix=X-Remote-Extra- \
    --requestheader-group-headers=X-Remote-Group \
    --requestheader-username-headers=X-Remote-User \
    --service-account-key-file=/etc/kubernetes/pki/sa.pub \
    --service-account-issuer=https://kubernetes.default.svc.cluster.local \
    --service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
    --service-cluster-ip-range={{ kubernetes.service_addresses }} \
    --tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
    --tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
    --service-node-port-range=30000-50000 \
    --storage-backend=etcd3 \
    --anonymous-auth=false \
    --default-not-ready-toleration-seconds=300 \
    --default-unreachable-toleration-seconds=300 \
    --v=2"
